Not only configurable, but tunable as well -- you can configure how many times it tries to query a backend, and what to do based on the result from the backend.
I'd need to check the nss_ldap code, but last time I looked (which was a _long_ time ago, so very possible it changed, especially since I believe I filed an RFE on this years ago), the ldap backend would never return an 'unavailable' code, only a result or 'try again'. By default, the nss front end will retry the backend forever when it gets a 'tryagain' result.

I found it to have some 'interesting' side effects. If the ldap server was bogged down, obviously lookups would be slow, which was bad for clustering software that was doing 'su - user -c cmd' (even if the account was local, su has to call getgroups(2) which in turn will have to check all backends for the group database). The cluster software would think the service had timed out and cause a failover! The workaround was to set a fixed number of attempts when querying a backend, and then failing it (via nsswitch.conf configuration).

On Fri, Jul 30, 2010 at 5:35 PM, Scott Rotondo wrote:
> On 07/30/10 12:44 PM, David Brodbeck wrote:
>>
>> This *can* be worked around by making sure every machine has a valid
>> local user with access to the root role -- sort of. pfexec becomes
>> extremely slow if you have incorrectly configured LDAP -- as in
>> several minutes of waiting to run a single command. I suspect it
>> tries to look up userIDs via LDAP first and has a long timeout. Best
>> to su to root in that situation.
>
> Have a look at /etc/nsswitch.conf. The search order is configurable.
>
> Scott
>
> --
> Scott Rotondo
> Senior Principal Engineer, Solaris Core OS Engineering
> President, Trusted Computing Group
> Phone: +1 650 786 6309 (Internal x86309)
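Added example, not part of the thread or of any project's code: a small audit that reads nsswitch.conf text and reports databases whose ldap source has no bounded retry. It assumes the Solaris nsswitch.conf(4) criteria syntax `[STATUS=action]` with `TRYAGAIN=n` for a fixed retry count, and, following the message above, treats a missing TRYAGAIN criterion as "retry forever"; the sample file is constructed.

```python
import re

# Matches either a "[STATUS=action ...]" criteria group or a bare source name.
TOKEN = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed nsswitch.conf sample
passwd:     files ldap
group:      files ldap [TRYAGAIN=3]
hosts:      files dns
netgroup:   ldap [NOTFOUND=return TRYAGAIN=forever]
"""

def parse_line(line):
    """Return (database, [(source, {STATUS: action})]), or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return None
    db, rest = line.split(":", 1)
    sources = []
    for criteria, name in TOKEN.findall(rest):
        if name:
            sources.append((name.lower(), {}))
        elif sources:  # a criteria group applies to the source just before it
            for pair in criteria.split():
                status, _, action = pair.partition("=")
                sources[-1][1][status.upper()] = action.lower()
    return db.strip(), sources

def unbounded_retries(text, watched=("ldap",)):
    """List (database, source) pairs where a watched source may be retried forever."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        db, sources = parsed
        for name, crit in sources:
            # Assumption from the message: no TRYAGAIN criterion means retry forever.
            if name in watched and crit.get("TRYAGAIN", "forever") == "forever":
                findings.append((db, name))
    return findings

if __name__ == "__main__":
    for db, src in unbounded_retries(SAMPLE):
        print(f"{db}: '{src}' has no bounded TRYAGAIN; a slow server can stall lookups")
```

Running it against a host's /etc/nsswitch.conf shows which lookups (including the group lookup behind `su`) can block indefinitely on a slow directory server.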
